Bug Bytes #62 – Talks worth watching in self-quarantine, $6K Google and Slack bug and bug hunting tips

By Intigriti

March 17, 2020

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 06 to 13 March.

Our favorite 5 hacking items

1. Conference of the week

BSidesSF 2020, especially:

Panel: Let’s Get 360 w/Bug Bounty!

The GCP Metadata API

How To Write Like It’s Your Job

The Voight-Kampff Test for Discovering Vulnerabilities

Panel: Mental Health for Hackers

Non-Political Security Learnings from the Mueller Report

Transform Your Presentation Skills

The range of (interesting) topics tackled in this conference is amazing. There are at least 10 talks I really need to watch. During these difficult times of Coronavirus quarantine / social distancing, this is an excellent way to pass time.

2. Writeups of the week

The unexpected Google wide domain check bypass (Google, $6,000)

Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies (Slack, $6,500)

These are two very impressive findings! The first one was found by analyzing a regex in obfuscated JavaScript code. It was used for URL validation in a Google app, and @xdavidhu found a way to bypass the check. On its own the impact was low/medium, but he later found that the vulnerable code was part of a JS library shared by many Google web apps, including Gmail and Google Docs.

The second vulnerability is an HTTP Request Smuggling (CL.TE) attack found on Slack. The front-end and back-end disagreed on where a request ended, which made it possible to hijack other users' requests and steal their session cookies by redirecting them to an attacker-controlled Collaborator server. The writeup is very clear, and the attack could have been exploited for mass account takeovers.
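To make the CL.TE mechanism concrete, here is an added example that is not part of the Slack writeup: a toy model of a front-end that frames requests by Content-Length and a back-end that frames them by Transfer-Encoding: chunked, fed the same byte stream. The host, paths and request bytes are constructed for illustration (the real payload and target are in the writeup), and the final function shows the check a front-end should apply per RFC 7230 section 3.3.3 before forwarding anything.

```python
# Added example, not code from the writeup: a toy CL.TE desync.
# A front-end that honours Content-Length and a back-end that honours
# Transfer-Encoding: chunked split the same bytes differently, so the
# leftover byte(s) of request 1 get prepended to request 2 on the back-end.
# Host names, paths and the requests are constructed for illustration.

from typing import Dict, List, Tuple

# Constructed attacker request. Content-Length covers all 6 body bytes
# ("0\r\n\r\nG"), but the chunked body already ends after "0\r\n\r\n".
SMUGGLED = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"G"
)

# Constructed request from a victim that arrives on the same connection.
NEXT_REQUEST = (
    b"GET /victim HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)


def parse_headers(stream: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Split off the request line and headers; return (request_line, headers, rest)."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def split_by_content_length(stream: bytes) -> List[Tuple[bytes, bytes]]:
    """Front-end behaviour: frame every message using Content-Length only."""
    msgs = []
    while stream:
        req, hdrs, rest = parse_headers(stream)
        n = int(hdrs.get(b"content-length", b"0"))
        body, stream = rest[:n], rest[n:]
        msgs.append((req, body))
    return msgs


def split_by_chunked(stream: bytes) -> List[Tuple[bytes, bytes]]:
    """Back-end behaviour: prefer Transfer-Encoding: chunked when present."""
    msgs = []
    while stream:
        req, hdrs, rest = parse_headers(stream)
        if hdrs.get(b"transfer-encoding", b"").lower() == b"chunked":
            body = b""
            while True:
                size_line, _, rest = rest.partition(b"\r\n")
                size = int(size_line, 16)
                if size == 0:
                    # The terminating chunk is followed by an empty trailer line;
                    # whatever comes after it is treated as the NEXT request.
                    if rest.startswith(b"\r\n"):
                        rest = rest[2:]
                    break
                body += rest[:size]
                rest = rest[size + 2:]  # skip chunk data and its CRLF
            stream = rest
        else:
            n = int(hdrs.get(b"content-length", b"0"))
            body, stream = rest[:n], rest[n:]
        msgs.append((req, body))
    return msgs


def has_ambiguous_framing(stream: bytes) -> bool:
    """RFC 7230 section 3.3.3: a message carrying both Transfer-Encoding and
    Content-Length is a smuggling indicator and ought to be rejected (or
    normalised to a single framing) by the front-end before forwarding."""
    _, hdrs, _ = parse_headers(stream)
    return b"transfer-encoding" in hdrs and b"content-length" in hdrs


if __name__ == "__main__":
    wire = SMUGGLED + NEXT_REQUEST
    print("front-end sees:", [r for r, _ in split_by_content_length(wire)])
    print("back-end sees: ", [r for r, _ in split_by_chunked(wire)])
    print("ambiguous:", has_ambiguous_framing(SMUGGLED))
```

Run as a script, the front-end reports the two requests as written, while the back-end reports the second request line as `GGET /victim HTTP/1.1`: the stray `G` from the first body has been prepended to the victim's request. Replace that single byte with a full request prefix and the back-end will execute attacker-chosen headers in the victim's context, which is the primitive behind the cookie theft in the writeup.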

3. Video of the week

@Mrtuxracer Talks About Monitoring Endpoints, Binary Exploitation, Continuous Recon and More!

This is @NahamSec's latest interview, with @Mrtuxracer. I find it particularly interesting because of @Mrtuxracer's approach. He explains his unique recon process, talks about continuous monitoring of JavaScript files and endpoints, some of his custom tools, API hacking, etc.

This is definitely worth watching if you want to learn about bug hunting methodology, differentiating yourself, or which kind of custom tools other bug hunters are using.

4. Non technical item of the week

Bug Bounty Hunting Tips #4 — Develop a Process and Follow It

“Admittedly, it can feel great for the first hour or so but after that, you can start to become bored and frustrated if you don’t find anything. And without a structured bug bounty hunting process, you probably won’t find anything new.”

Does this ring a bell? This excellent article goes over how to create a high-level process for bug hunting. Apart from technical methodologies, some decisions can help avoid frustration. This includes choosing a bug hunting approach, deciding minimum and maximum time to spend on a target, and minimum time for writing reports.

5. Article of the week

Bug Business #2 – Hacking, traveling and vlogging with @STÖK

There are only two publications related to bug bounty that I wait for impatiently and devour as soon as they’re published: EdOverflow’s newsletter and this new interview series.

The first issue was with EdOverflow. The last one is an excellent read if you want to learn how Stök juggles between different projects, his filming process, how he manages full-time bug hunting without pulling all-nighters (Early birds, hello!)…

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

Tools

If you don’t have time

  • BGP Search: A Python wrapper for searching on https://bgp.tools (takes an organization name as input and outputs its IP ranges)

  • iprobe: Take a list of IP addresses or IP range and probe for working HTTP and HTTPS servers (similar to httprobe but also takes IPs and IP ranges as input)

  • HTTP-FUZZER: Go fuzzer that is burp-compatible and able to fuzz some random parameters in the raw http request

More tools, if you have time

  • Sub-Drill: A very (very) simple Subdomain Finder based on online certification services (threatcrowd, hackertarget, crt.sh, certspotter & findsubdomains)

  • Exegol: A Kali light base with a few useful additional tools and some basic configuration

  • Brownie tub: A Standalone Web Shell Client

  • Minimalistic AD Login Bruteforcer

  • Starkiller & Introduction: GUI application for interfacing with Empire. It allows for multi-user support and ease of operations

  • NTLM scanner: A simple python tool based on Impacket that tests servers for various known NTLM vulnerabilities

  • Password Guesser: Script to generate custom password wordlist to guess weak passwords

  • Sifter: OSINT, recon & vulnerability scanner in Bash for penetration testing

  • Callidus & Introduction: C# tool that allows red team operators to leverage O365 services for establishing command & control communication channel

Misc. pentest & bug bounty resources

Challenges

  • Exploit-workshop: A step by step workshop to exploit various vulnerabilities in Node.js and Java applications

Articles

News

Bug bounty & Pentest news

Reports

SMBGhost

Vulnerabilities

Breaches & Attacks

Coronavirus

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/06/2020 to 03/13/2020.

Curated by Pentester Land & Sponsored by Intigriti
